Viruses; Nasty Pain In the Butt!
When it comes to protecting your PC, you have to know the rules. First, you shouldn't download and run programs from non-reputable sites. Second, data files can be lethal, too: launching a Word or Excel file attached to an e-mail message might be the last thing you do before reformatting your drive.
For example:
A harmless but annoying e-mail worm called Happy99.exe is spreading
fast in Europe and expected to invade the United States soon. (A worm is
a virus that makes copies of itself.) Happy99.exe runs when you launch
the program, which you would receive as an attachment to e-mail. When the
worm is launched, it opens a window and entertains you with fireworks while
modifying your WINSOCK32.DLL file. That modification enables Happy99.exe
to send copies of itself to your e-mail friends and newsgroup buddies without
your awareness. The worm keeps a list of addresses and newsgroups it has
infected in a file named LISTE.SKA. Happy99.exe doesn't delete files or
destroy data, but it sure is annoying. Win Letter
Rule of Thumb: Don't open attachments from strangers!
Now here's the part that really scares me. Security researchers recently discovered that just receiving a craftily concocted e-mail message can put you out of business. It turns out that unethical hackers can crash some versions of Microsoft and Netscape e-mail programs simply by sending you a message containing a file attachment with a very long file name. Worse, determined miscreants can embed program code in that long file name, and get it to run on your computer. If that rogue program's job is to delete your hard disk partition, you may not be checking your mail again soon.
The security flaw affects Windows 95 and 98 versions of Microsoft's Outlook 98 and Outlook Express 4.x, as well as Netscape's Communicator 4.0x and 4.5 suites. Earlier versions of Outlook and Outlook Express (as well as the Windows 3.1 version of Outlook Express 4.0), are unaffected, and other Internet mail programs--including Qualcomm's Eudora products and David Harris's Pegasus Mail--are immune. So far anyway.
Microsoft released patches for its affected mail programs within days
of the flaw's discovery. You can find the 4.7MB patch for Outlook 98 at
www.microsoft.com/outlook/enhancements/outptch2.asp.
I could not find that patch at the above address; however, I did find it at:
Internet Explorer Security http://www.microsoft.com/ie/security/?/ie/security/oelong.htm
If you use Outlook Express, you must first upgrade to Internet Explorer
4.01 with Service Pack 1 (a 2.2MB download). The easiest way to do this
is to open Internet Explorer 4.0 and choose Help, Product Updates, which
will also install the Outlook Express patch. If you've already upgraded
to IE 4.01, you can find a link to the 1MB Outlook Express patch at
www.microsoft.com/ie/security/?/ie/security/oelong.htm.
At press time, Netscape was still working on an update to its Messenger
mail program. The fix will be part of Communicator 4.06 and a later 4.5
beta, both of which should be available by the time you read this. To update
your copy, choose Help, Software Updates. For more information, see:
home.netscape.com/products/security/resources/bugs/longfile.html.
Meanwhile, Qualcomm's Eudora Pro 4.0 and 4.0.1 got stung by a similar
bug that allows wrongdoers to execute malicious Java programs on your computer
by disguising them as Web page links. A 4.7MB version 4.0.2 update at
eudora.qualcomm.com/pro_email/updaters.html
closes the hole and fixes dozens of other bugs.
See ftp://ftp.qualcomm.com/eudora/eudorapro/windows/english/updater402/README.txt
for details.
Can I remove a memory-resident virus--or any virus--by running DOS's Fdisk and Format commands to wipe out everything on my hard drive?
Don't do it! Reformatting your hard drive takes a huge amount of work and likely won't kill the virus. After all, your boot floppy may also be infected--or your Fdisk or Format programs. Or you could reinfect your system while reinstalling your applications. And some viruses, like Monkey, can survive an Fdisk reformat and make things even worse.
If your antivirus program (you do have one, right?) can't fix the problem, contact the vendor. There may be a solution in the works, and if not, the experts in the lab will want to see what you've got. You can also try another program.
Virus Killers 1998 by Stan Miastkowski
Writer for PC Magazine.
This year, macro viruses are running rampant. Which antivirus program is your best defense?
Virus. The word itself has a menacing hiss. And a computer virus can be as evil as it sounds, snaking its way into your PC, posing an occasional annoyance or a serious threat to your data. Now, with the explosion of pesky macro viruses that infect Microsoft Word and Excel documents, the tentacles of the computer virus problem reach even further into our work.
No one working on a PC is risk free. Even the manuscript of this article infected eight PC World editors' machines with the Cap virus. Talk about your wicked irony. Unfortunately for this particular virus, its victims each had eight antivirus weapons that we were testing for this story: Dr Solomon's Anti-Virus 7.0, F-Prot Professional 2.15, IBM AntiVirus 3.0.1, Inoculan AntiVirus 5.0 for Windows 95, McAfee VirusScan 3.0, Norton AntiVirus 4.0, PC-cillin Anti-Virus 3.0, and ThunderByte Anti-Virus Utilities 8.0.3.
As when we last reviewed antivirus software ("Virus Killers," March 1997), almost any of these packages does a nice job of finding and eradicating most viruses, including macro viruses. The key is to keep the products' library of signatures--binary code that helps identify viruses--current. And that's one area where these packages differ most. When you buy, look closely at the updating that the vendor offers. If keeping signature files up-to-date is too costly or difficult, you won't do it as often, which means you won't be as well protected against the latest viruses. Check out the package's interface and scanning features, too. Just about every one is easy to install, but the best are also easy to use and offer many scanning options as well.
Our Best Buy is Norton AntiVirus 4.0. At $50, it is priced about the same as other packages on the market, and comes chock-full of scanning options. Norton holds your hand through virus detection and removal and tells you exactly what's going on at each step of the way, which few of the others do. Most important, it comes with free automatic updates of signature files for as long as you own the program.
Virus Killers By Stan Miastkowski
Computer viruses are coming soon to a PC near you. Don't get paranoid, get antivirus software.
Something's up with your PC. Something bad. It's raining characters in your word processing document. Or perhaps you just received birthday greetings addressed to someone named Joshi. Or maybe you just noticed that half the contents of a directory seem to be missing. Don't look now, but you've got a virus.
Computer viruses are so overhyped in movies and the news, it's easy to shrug them off as one more of life's little risks. Don't. Computer viruses are real, lethal, and coming soon to a PC near you. Thanks to the widespread use of LANs and the Internet, and the advent of macro viruses that spread through e-mail, it's easier than ever for your computer to pick up a nasty bug (see "It Could Happen to You"). If you're lucky, all you'll lose is the time it takes to find and eradicate it. But if your PC's caught a bad virus, your data could be terminal. Take One Half, for instance. This common and lethal virus gradually and secretly encrypts the contents of your hard disk, decrypting them for you on demand. One day, it stops decrypting files when you attempt to access them--and also makes the drive unbootable. Then it's bye-bye, data.
The only way to avoid such disasters is to stop the virus before it can do its damage. As with biological viruses, you can take steps to reduce your risk of infection. But your best shield is an up-to-date antivirus utility. Antivirus programs have been around practically since the dawn of the PC, and as you might expect, they've evolved. The first DOS-based packages had primitive detection schemes, separate removal modules, and few automated features. Most of today's antivirus packages not only integrate detection and removal utilities, they're also cheap (most are under $100), unobtrusive, and effective at finding the latest virus strains. In many cases, a program can also remove the virus and get you back to work quickly.
This is from McAfee Virus Support http://www.mcafee.com/
It is important for DOS and Windows users to have a clean (non-infected) start-up diskette in order to remove some viruses.
IMPORTANT: Your system must be virus free to make a clean start-up diskette. Any virus that is resident in your system could be transferred to your start-up diskette and re-infect your system. If your computer is infected, go to another computer that is not infected and proceed with creating the virus free start-up disk. If you are not sure if a system is infected or not, install Virus Scan on the system. During the installation process a scan will be done and you should be notified if that system is infected.
NOTE: A start-up disk created on a Windows 95 system will access the hard drive for information about the computer. Because of this, a start-up disk created on a DOS 6.22 (or lower) system may be required to remove some viruses. Also, if you use a DOS 6.22 (or lower) system to make the disk, you can use one disk instead of two, just copy the Virus Scan files mentioned to the first start-up disk that you create.
1. How to Create a Virus Free Start-Up Disk
In DOS, start from the system prompt (C:\>). In Windows you will need to go to a DOS prompt.
Put a blank disk in the A: drive.
CAUTION: This procedure will overwrite any information the diskette contains.
Type this command at the c:\> prompt: format a: /s
Since we used the "/s" option, you should get a message that says "system transferred". When the system prompts you for a volume label, you may enter an appropriate name (such as Virusfree01) using no more than 11 characters, or you may just hit enter to leave it blank.
Now type this command: attrib -r -a -s -h a:*.bin
Now type this command: del a:*.bin
Now type this command: copy c:\windows\himem.sys a:
Your system should respond with "1 file(s) copied".
Now type this command: copy c:\windows\emm386.exe a:
Your system should respond with "1 file(s) copied".
Still at the c:\> prompt, type: edit a:\config.sys
You should be at a blank blue screen. Type the following three lines:
dos=high
device=himem.sys
device=emm386.exe ram 65536
Now hold down the Alt key and hit the letter F, this should bring up the file menu. Now hit the letter X, this should prompt you to save the file so hit Y.
Remove this diskette and write-protect it by moving the tab to an open position. You should be able to see through both holes in the disk. You will also want to label this disk "Virus Free Start-up Disk" (or some other appropriate name) for future reference.
2. How to Create a Virus Scan Disk
It would also be a good idea to have a disk that you can run a virus scan from. In order to do this, go to a system that has Virus Scan installed and is not getting a virus warning.
In DOS, start from the system prompt (C:\>). In Windows you will need to go to a DOS prompt.
Put a blank disk in the A: drive.
CAUTION: This procedure will overwrite any information the diskette contains.
Type this command at the c:\> prompt: format a:
When the system prompts you for a volume label, you may enter an appropriate name or you may just hit enter to leave it blank.
Change to the Virus Scan directory by typing CD\directory, where directory is where Virus Scan is installed. (For example, CD\mcafee\viruscan is the default on a Windows 3.x or DOS system, and CD\progra~1\mcafee\viruss~1 is the default on a Windows 95 system.) If you are not sure what directory Virus Scan is installed in, type: dir c:\scan.exe /s and make a note of where the most recent scan.exe file is found, then change to that directory.
Type the following commands:
copy scan.exe a:
copy clean.dat a:
copy names.dat a:
copy scan.dat a:
Your system should respond with "1 file(s) copied" after each command. Remove this diskette and write-protect it by moving the tab to an open position. You should be able to see through both holes in the disk. You will also want to label this disk "Virus Scan Disk" (or some other appropriate name) for future reference. This is the diskette that will be used to actually run the scan and remove any viruses.
3. How to Use These Two Disks to Remove a Virus
Go to the computer that you believe is infected and turn it off as you normally would. It is very important to actually turn the power off since some viruses can survive a ctrl-alt-del and/or a reset.
Put the first disk ("Virus Free Start-up Disk") in the A: drive and turn the system on. Your system may give you a message similar to "memory pool adjusted", you can just ignore that and press a key if it asks you to. Your computer may ask you to type the date and time, just hit enter if it does. When you get to the A:\> prompt, take out the first disk and insert the second disk ("Virus Scan Disk").
At the A:\> prompt, type: scan c: /clean /nomem
NOTE: If you are using one disk to boot and another disk to run the
scan program, you may get an error message asking for the command interpreter.
If you do, insert the start-up disk again and type: a:\command.com
By Luke Reiter and Jim Louderback
On the 26 of each month, the devastating Win95/CIH virus is programmed to strike. Experts say its payload is unprecedented: If you're infected, your computer may simply stop working. While this virus was first detected just in time for the July 26 deadline, we wanted to bring it back to your attention in time for January 26. Here's what the virus is, and how to avoid it.
The virus was first identified by Virus Bulletin, a premier subscription newsletter about viruses with a research laboratory in Great Britain. According to Nick FitzGerald, the Bulletin's editor, the virus goes beyond the traditional disk-trashing mayhem of other rogue programs.
Computers based on Intel-compatible processors use a Basic Input Output System (BIOS) for cold start-ups. The BIOS is software that initializes and manages the data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard; it sits between those hardware devices and the operating system and applications.
Most desktop, server, and notebook computers built in the last few years store their BIOS on a flash ROM chip. These flash chips are rewritable, which allows users and manufacturers to upgrade the BIOS with new capabilities, or to fix bugs.
The CIH virus is the first to attack the software code stored in those flash BIOS chips. The virus overwrites part of the BIOS code that's stored in some flash ROM chips. In fact, it overwrites the part of the BIOS program that runs first when the system is powered up or reset.
As a result, the virus can render your computer unbootable-- it just
won't start up when you turn on the power.
The devastating Win95/CIH virus is about to strike again-- what have antivirus experts learned since the virus was first discovered?
By Alex Wellen
The 26th is here again. You might call it "C" day. I say that because the CIH virus is designed to trigger on the 26th of every month. Although this article was first published in time for the August 26 payload, it's been updated for this round of CIH.
The CIH virus, which can severely damage PCs, has been spreading since it was first discovered last July. Antivirus companies report that in 1998, there were roughly 3,500 reports of the CIH virus. These figures confirm that CIH was the most notorious virus of 1998. Panda reported 139 customers and Symantec 135. Trend Micro says CIH topped its charts-- 360 customers were hit and one of them reported 700 computers infected.
Meanwhile, although Network Associates' reports were low, they received more than 900 inquiries. And finally, Ontrack saw 2000 instances.
So what does this mean for consumers? If you're running Windows 95 or 98 on a Pentium-based machine you may be vulnerable to this virus. According to experts, it's the first virus that has the potential to cause physical damage to your computer.
Contracting CIH
Here's a quick review of how the virus works, and what's at risk.
First, you've got to contract the virus. That can happen a number of ways:
The most popular way is by downloading an infected file off the Internet. Another way is by sharing disks and opening an infected file off the disk. Finally, you can contract the virus by opening an infected file attached to an email.
The infected file must be an executable file-- meaning a file ending with .exe, like video games and business applications.
Once you've run an infected program, it goes resident in memory-- it just sits there and waits.
Now, whenever you open another executable file, the infected program checks to see if it's a "portable executable" file (that's the format used for executable files in Windows 95 and 98).
The virus then checks whether the file can be infected. It can only be infected if there's enough room for the virus.
If there is enough room, it infects the file. If the virus can't infect the file-- or if the file has already been infected-- it checks the next condition.
The next condition
Is it the 26th of the month?
If the answer is yes, the virus tries to overwrite your BIOS. Then it trashes your hard drive.
Some months, the 26th falls on a weekend. For most businesses that means
computer power switches can simply be left in the "off" position. This
month, the 26th falls on a Tuesday-- and businesses should take precautions
against the potential harm.
This is a special Norton Antivirus SupportNow! News Bulletin
April 26, 1999
1.0 THE REAL SCOOP ON THE W95.CIH (Chernobyl) VIRUS
1.1 Information About W95.CIH
1.2 If Your System is Already Infected: Using the Kill_CIH tool
1.3 Recovering when the payload has been delivered
1.0 THE REAL SCOOP ON THE W95.CIH (Chernobyl) VIRUS
This is an update on the W95.CIH virus, and the amount of news media coverage the virus is generating. This virus is also known as PE_CIH, WIN95:CIH 1.x, Win95.CIH, Win32/CIH, Win32.Cih, W95/CIH.1003, Chernobyl or the W32.CIH.Spacefiller virus.
This is not a new virus, but rather an old virus.
NOTE: We have protected machines against this virus since last summer.
This virus was discovered around June 1998 in Taiwan. One variant delivers
a very destructive payload on April 26th, which is the anniversary of the
Chernobyl disaster. Others deliver the payload on the 26th of any month.
The virus may format your hard disk and may also corrupt your BIOS on certain
machines with a certain type of BIOS. This is not a Microsoft Word macro
virus. The CIH virus is spread in Windows 95 executable files (files with
the .EXE extension). When an infected program is run, the virus becomes
memory resident and subsequently infects other programs when they are executed
or copied.
Symantec's AntiVirus Research Center considers the W95.CIH virus to be in "the wild". However, if you are using virus definitions newer than June 1998, you are FULLY PROTECTED from this virus.
Consider the following:
Symantec's Norton AntiVirus has long detected and repaired systems against this virus under the name of W95.CIH. Many corporations and retail users updated their virus definitions during the Melissa incident, which also would have protected their machines against the Chernobyl virus. This virus only infects Windows programs. It is much less common to share Windows programs than it is to share a document containing a macro virus.
W95.CIH is a virus that infects Windows 95 executables (files with .EXE extension). When an infected program is run, the virus loads into memory. W95.CIH then infects new files when they are opened (for instance when they are run or copied). This means that an infected system must be rebooted from a clean system disk before scanning with NAV or any antivirus product. If you don't boot from a clean floppy diskette, the virus will infect every file that the antivirus software scans. Infected files are the same size as the original files, due to W95.CIH's unique mode of infection, which is as follows:
1. It looks for empty, unused spaces in the file.
2. It breaks itself up into smaller pieces.
3. It hides in these unused spaces.
NAV can repair an infected file by looking for these virus pieces and removing them from the file.
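The "empty, unused spaces" described above (and the portable-executable check mentioned in the earlier "Contracting CIH" section) can be inspected directly. The following Python is an added defender's example, not code from the bulletin or from Symantec or McAfee: it walks a PE file's section table, reports the alignment padding at the end of each section, and flags padding that is not all zeros. The minimal PE it analyzes is constructed inline, and the bytes it places in the padding are an arbitrary constructed marker standing in for hidden fragments.

```python
import struct

# PE/COFF layout constants: the COFF file header is 20 bytes and every
# section-table entry is 40 bytes (Microsoft PE format specification).
COFF_HEADER_SIZE = 20
SECTION_ENTRY_SIZE = 40


def section_slack_regions(data: bytes):
    """Return one (name, file_offset, length, nonzero_bytes) tuple for each
    section whose bytes on disk (SizeOfRawData) exceed what the loader maps
    (VirtualSize). That tail is file-alignment padding: unused by the program
    and normally all zeros, which is the kind of gap a space-filling infector
    can scatter its pieces into without changing the file size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a portable executable")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + COFF_HEADER_SIZE + opt_header_size

    regions = []
    for i in range(num_sections):
        entry = table + i * SECTION_ENTRY_SIZE
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, entry + 8)
        if raw_size > vsize:
            start, length = raw_ptr + vsize, raw_size - vsize
            chunk = data[start:start + length]
            regions.append((name, start, length, len(chunk) - chunk.count(0)))
    return regions


def has_filled_slack(data: bytes) -> bool:
    """True when any section's padding holds non-zero bytes. This is a review
    heuristic, not a signature: some linkers and packers also leave data in
    padding, so a hit means 'look closer', never 'infected'."""
    return any(nonzero for _, _, _, nonzero in section_slack_regions(data))


def build_sample_pe(slack_fill: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one .text section: 16 mapped bytes
    (VirtualSize) inside a 512-byte raw block (SizeOfRawData). slack_fill is
    written into the padding to stand in for hidden fragments (constructed)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(222)     # PE32 magic, rest zero
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + optional + section
    headers += bytes(0x200 - len(headers))               # pad to file alignment
    code = bytes(16)                                     # the 16 mapped bytes
    padding = bytearray(0x200 - len(code))
    padding[:len(slack_fill)] = slack_fill
    return headers + code + bytes(padding)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()),
                          ("marked", build_sample_pe(b"\xAB" * 24))):
        for name, off, length, nonzero in section_slack_regions(sample):
            print(f"{label}: {name} padding at 0x{off:X}, {length} bytes, "
                  f"{nonzero} non-zero -> {'review' if nonzero else 'ok'}")
```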
1.2 IF YOUR SYSTEM IS ALREADY INFECTED: USING THE KILL_CIH TOOL
If your system is already infected or you would like to inoculate your system against the Chernobyl virus, you can download the KILL_CIH tool at this web address:
http://www.sarc.com/avcenter/kill_cih.html
The KILL_CIH tool safely detects and removes all known strains (as of August 3rd, 1998) of the W95.CIH (Chernobyl) virus from memory under Windows 95 and Windows 98. If you run this tool before the virus infects your system, the tool will "inoculate" the computer's memory to prevent the W95.CIH virus from infecting your system until the next system reboot.
NOTE: If you are already infected with the W95.CIH virus, run the KILL_CIH tool first before you try to update your antivirus definitions or scan your system.
If you try to scan with an antivirus product without first running this tool, you run the risk of spreading the infection. Once you have used this tool, you can safely update your Norton AntiVirus definitions and scan your machine.
NOTE: The KILL_CIH tool will not detect or remove the W95.CIH virus from files. It will disable the virus in memory so an antivirus program can remove the infection without inadvertently spreading the virus. You can obtain a freeware version of Norton AntiVirus to detect and remove the virus from files on the Symantec web site at: http://www.symantec.com/nav/navc.html
You can run the CIH removal tool from either the DOS command line or from a login script, which enables a network administrator to automate the disinfection process. This means that an administrator does not have to go to each workstation on a network and reboot from a clean floppy in order to clean the computer. After using this tool, you should update your virus definitions and start a complete scan of the computer with an antivirus program such as Norton AntiVirus. This will eliminate the virus and repair any damaged files.
The tool avoids infection by the virus and can safely be run without becoming infected, even if the virus is resident on the computer.
1.3 Recovering when the payload has been delivered
The virus can do two things when it executes on the 26th of the month:
1. It can overwrite critical data areas in the first 2048 sectors of your hard disk. When that happens, you will see a "non-system disk" message when the system boots from the hard drive, or an "invalid media" message when you try to boot from a system floppy disk or a rescue disk. In these cases, you will need Norton Utilities or Norton Data Recovery Services to recover data on your hard disk. If you choose Symantec's Data Recovery Services, you will need to ship your hard disk to Symantec. Cost for these services is $250 for FAT16 drives and $400 for FAT32 drives. Additional information is at:
http://www.symantec.com/techsupp/recovery/pc/pcdr.html
2. It can overwrite your system BIOS. When that happens, you will need to contact your BIOS vendor, download your BIOS information, and flash your BIOS if you can access your floppy disk.
NOTE: Cases in which the BIOS is overwritten are extremely rare. If your computer fails to function because the BIOS has been overwritten, you may need to replace either the BIOS or the motherboard.